Description

Hello Guys,
I'm currently investigating to use spring-ws along with spring-ws-security-2.13.RELEASE for my security use case.

I'm using Wss4jSecurityInterceptor based approach.

These are what I'm after:

I want to perform Encryption/Decryption using PKI for confidentiality.

I want to perform Signature verification.

I want to perform authentication using the UsernameToken scheme.

These are the caveats:

My user store is LDAP (where the password is already hashed and stored). I don't have access to the "clear text" password on the server side to be passed in the call back (AbstractWsPasswordCallbackHandler).

Here is one approach:

I would encrypt the UsernameToken (using the same PKI) and decrypt on the server side - This enables me to send the password as a "clear text" at the same time achieving message confidentiality.

However, this doesn't solve the problem of authenticating the user with LDAP because I don't have the "clear text" password in the server side.

Observations:
I was looking into Wss4jSecurityInterceptor.java and it appears to be that the securityEngine is defined as private final.I completely understand the reasons of being this the way it is as the clients shouldn't be able to alter the sensitive functionality and break the framework.

However, in my case, if this securityEngine was externalizable (injectable), I can provide my implementation of the engine which can then suppress the UsernameToken (password validation).

This helps me to then to get the Username and Password in my interceptor in the overridden checkResults method which can be used for LDAP Authentication. I will have the full access to the username and password here.